CVE-2021-44531 in nodejs and Oracle Products

CVE-2021-44531 in nodejs and Oracle Products
Published on February 24, 2022

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Products Associated with CVE-2021-44531

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-44531 are published in these products:

Affected Versions

Version 4.0 and below 4.* is affected.

Version 5.0 and below 5.* is affected.

Version 6.0 and below 6.* is affected.

Version 7.0 and below 7.* is affected.

Version 8.0 and below 8.* is affected.

Version 9.0 and below 9.* is affected.

Version 10.0 and below 10.* is affected.

Version 11.0 and below 11.* is affected.

Version 12.0 and below 12.22.9 is affected.

Version 13.0 and below 13.* is affected.

Version 14.0 and below 14.18.3 is affected.

Version 15.0 and below 15.* is affected.

Version 16.0 and below 16.13.2 is affected.

Version 17.0 and below 17.3.1 is affected.

Exploit Probability

EPSS

0.08%

Percentile

22.78%